Building a Linux Firewall

In this tutorial, you'll learn how to build a Linux iptables firewall from scratch. Such firewalls are not just for DSL and cable Internet users; they also work for T1/E1 customers.
In fact, a Linux box with a T1 interface card is a great alternative to expensive
commercial routers. If you're a normal business user and not an ISP that needs Buick-sized
routers handling routing tables with hundreds of thousands of entries, then
Linux on good-quality x86 hardware will serve your needs just fine.

A Linux border firewall can provide security and share an Internet connection for a
whole LAN, which can contain Linux, Windows, Mac, and other PCs. A host
firewall protects a single PC. There are a multitude of hardware choices for your firewall
box, from small single-board computers, to recycled old PCs, to rackmount
units. Any Linux distribution contains everything you need to build a sophisticated,
configurable, reliable firewall on any hardware.

Definitions and roles get a bit blurry, as an iptables firewall does both packet filtering
and routing. You could call it a filtering router. iptables is the key to making everything work.

Firewalls and routers are often combined on the same device, which is often called
an Internet gateway. Strictly speaking, a gateway moves traffic between networks that
use different protocols, such as NETBEUI and TCP/IP, which is not something we
see much anymore. These days, it means any network device that connects networks.

Routers forward traffic between networks. You always need a router between your
LAN and other networks. You may also add intrusion detection, traffic control,
proxies, secure remote access, DNS/DHCP, and any other services you want, though
in my opinion, it's better to limit your firewall to routing, firewalling, and traffic control.
Other services should sit on separate boxes behind your Internet firewall,
though of course this is up to you. In small shops, it's not uncommon for a single
box to host a multitude of services. The risks are that any successful intruder will
have a feast of yummy services to exploit, or you may simply overload the box to the
point that performance suffers.

Any computer or network device that is exposed to untrusted networks is called a
bastion host. Obviously, bastion hosts have special needs: they must be well-hardened,
must not share authentication services with your LAN hosts, and must have strict access controls.

Separating Private and Public

If you are going to run Internet-accessible services, you need to isolate your public
servers from your private LAN. If you are sharing a single Internet connection, the
simplest way is to build a tri-homed (three network interfaces) Linux router; one
NIC connects to the Internet, the second one connects to your LAN, and the third
one connects to your demilitarized zone (DMZ). A demilitarized zone is a neutral
zone between two opposing groups. In computer terms, it's a separate subnet where
you segregate your public servers from your private LAN hosts, and your DMZ hosts
are treated as only slightly less untrustworthy than the big bad Internet.

Simply placing your public servers on a different subnet adds a useful layer of protection.
DMZ hosts are not able to initiate connections back into the private network
without being explicitly allowed to do so. If a DMZ server is compromised, an
attacker should not find a path into your private network.
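The following script is an added example, not code from this chapter, showing how the tri-homed layout and the bastion-host rules described above translate into an iptables policy: default-deny on the firewall itself and on forwarded traffic, the LAN allowed out to the Internet and into the DMZ, the Internet allowed into the DMZ only on published service ports, and the DMZ given no path to initiate connections into the LAN. The interface names (eth0/eth1/eth2), subnets, SSH-from-LAN rule and the 80/443 service ports are assumptions for illustration; by default the script only prints the rules it would load, and setting IPT=iptables applies them.

```shell
#!/bin/sh
# Added example (not from the chapter): iptables policy for a tri-homed border firewall.
# Interface names, subnets and service ports are assumptions; adjust to your own network.
WAN_IF="${WAN_IF:-eth0}"   # connects to the Internet
LAN_IF="${LAN_IF:-eth1}"   # connects to the private LAN
DMZ_IF="${DMZ_IF:-eth2}"   # connects to the DMZ subnet
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
DMZ_PORTS="${DMZ_PORTS:-80 443}"   # TCP services the Internet may reach in the DMZ
# Dry run by default: the rules are printed, not loaded. Set IPT=iptables (as root)
# to apply them; forwarding also needs: sysctl -w net.ipv4.ip_forward=1
IPT="${IPT:-echo iptables}"

apply_border_policy() {
    # Default-deny everything; each permitted path below is explicit.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # --- The firewall box itself is a bastion host: strict access controls ---
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Admin SSH only from the LAN, never from the Internet or the DMZ (assumed policy).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # --- Forwarding between the three networks ---
    # Replies to established flows may return along any path.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open connections to the Internet and to the DMZ.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -o "$DMZ_IF" -d "$DMZ_NET" -j ACCEPT
    # The Internet may reach only the published service ports in the DMZ.
    for port in $DMZ_PORTS; do
        $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # DMZ hosts may open outbound Internet connections (updates, DNS)...
    $IPT -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$WAN_IF" -j ACCEPT
    # ...but a compromised DMZ host must find no path into the LAN: log, then drop.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "DMZ->LAN denied: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # Private source addresses are masqueraded behind the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# In dry-run mode, count the FORWARD rules the policy would load (a quick sanity check).
count_forward_rules() {
    apply_border_policy | grep -c '^iptables -A FORWARD'
}

apply_border_policy
```

Note that there is no rule accepting new connections from the WAN interface toward the LAN interface at all; with the FORWARD policy set to DROP, that path is closed by omission rather than by an explicit deny, which is the point of building the rule set as an allow-list. The LOG rule before the DMZ-to-LAN DROP gives you a kernel log line whenever a DMZ host tries to reach the private network, which is exactly the event you want to notice.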

It doesn't matter if your DMZ hosts have public or private IP addresses. Never run
public services from inside your LAN. The last thing you want to do is introduce a
big fat Internet hole into your LAN.

If your servers have public routable IP addresses, then you may elect to connect them
directly to the Internet or on a separate Internet connection. Host firewalls are useful
for restricting traffic to the server and blocking the zillions of automated attacks that
infest the Internet. A nice thing is a standalone firewall in front of your public servers
to filter out unwanted traffic before it hits them.

Windows Security

While firewalls are useful, remember to give a lot of attention to your application-level
and OS security. Some admins recommend configuring your servers as though
you have no firewall, and that is a good strategy. Linux and Unix servers can be
hardened to the point where they really don't need a firewall. Windows systems are
impossible to harden to this degree. Nor is a firewall a cure-all. A nice strong iptables
firewall is a good umbrella to place over Windows hosts, but a firewall will not protect
them from email-borne malware, infected web sites, or the increasing hordes of
spyware, adware, Trojan horses, and rootkits that come in legitimate commercial
software products; nor will it make up for the inability of commercial security products to detect all the bad stuff.